
Automating Induction for Solving Horn Clauses

Hiroshi Unno, Sho Torii, and Hiroki Sakamoto
University of Tsukuba, {uhiro,sho,[email protected]

Abstract. Verification problems of programs in various paradigms can be reduced to problems of solving Horn clause constraints on predicate variables that represent unknown inductive invariants. This paper presents a novel Horn constraint solving method based on inductive theorem proving: the method reduces Horn constraint solving to validity checking of first-order formulas with inductively defined predicates, which are then checked by induction on the derivation of the predicates. To automate inductive proofs, we introduce a novel proof system tailored to Horn constraint solving, and use a PDR-based Horn constraint solver as well as an SMT solver to discharge proof obligations arising in the proof search. We prove that our proof system satisfies soundness and relative completeness with respect to ordinary Horn constraint solving schemes. The two main advantages of the proposed method are that (1) it can deal with constraints over any background theories supported by the underlying SMT solver, including nonlinear arithmetic and algebraic data structures, and (2) the method can verify relational specifications across programs in various paradigms where multiple function calls need to be analyzed simultaneously. The class of specifications includes practically important ones such as functional equivalence, associativity, commutativity, distributivity, monotonicity, idempotency, and non-interference.
Our novel combination of Horn clause constraints with inductive theorem proving enables us to naturally and automatically axiomatize recursive functions that are possibly non-terminating, non-deterministic, higher-order, exception-raising, and over non-inductively defined data types. We have implemented a relational verification tool for the OCaml functional language based on the proposed method and obtained promising results in preliminary experiments.

1 Introduction

Verification problems of programs written in various paradigms, including imperative [30], logic, concurrent [28], functional [47, 54, 55, 59], and object-oriented [36] ones, can be reduced to problems of solving Horn clause constraints on predicate variables that represent unknown inductive invariants. A given program is guaranteed to satisfy its specification if the Horn constraints generated from the program have a solution (see [27] for an overview of the approach).

This paper presents a novel Horn constraint solving method based on inductive theorem proving: the method reduces Horn constraint solving to validity checking of first-order formulas with inductively defined predicates, which are then checked by induction on the derivation of the predicates. The main technical challenge here is how to automate inductive proofs. To this end, we propose an inductive proof system tailored for Horn constraint solving and a technique based on SMT and PDR [10] to automate proof search in the system. Furthermore, we prove that the proof system satisfies soundness and relative completeness with respect to ordinary Horn constraint solving schemes. Compared to previous Horn constraint solving methods [27, 29, 32, 33, 41, 48, 52, 55, 57] based on Craig interpolation [21, 42], abstract interpretation [20], and PDR, the proposed method has two major advantages:

1. It can solve Horn clause constraints over any background theories supported by the underlying SMT solver.
Our method solved constraints over the theories of nonlinear arithmetic and algebraic data structures, which are not supported by most existing Horn constraint solvers.

2. It can verify relational specifications where multiple function calls need to be analyzed simultaneously. The class of specifications includes practically important ones such as functional equivalence, associativity, commutativity, distributivity, monotonicity, idempotency, and non-interference.

To show the usefulness of our approach, we have implemented a relational verification tool for the OCaml functional language based on the proposed method and obtained promising results in preliminary experiments.

For an example of the reduction from (relational) verification to Horn constraint solving, consider the following OCaml program $D_{mult}$ (footnote 1).

    let rec mult x y = if y=0 then 0 else x + mult x (y-1)
    let rec mult_acc x y a = if y=0 then a else mult_acc x (y-1) (a+x)
    let main x y a = assert (mult x y + a = mult_acc x y a)

Here, the function mult takes two integer arguments x, y and recursively computes $x \times y$ (note that mult never terminates if $y < 0$). mult_acc is a tail-recursive version of mult with an accumulator a. The function main contains an assertion with the condition mult x y + a = mult_acc x y a, which represents a relational specification, namely the functional equivalence of mult and mult_acc. Our verification problem here is whether, for any integers x, y, and a, the evaluation of main x y a under the call-by-value evaluation strategy adopted by OCaml never causes an assertion failure, that is, $\forall x, y, a \in \mathbb{Z}.\ \texttt{main}\ x\ y\ a \not\longrightarrow^{*} \texttt{assert false}$.
By using a constraint generation method for functional programs [55], the relational verification problem is reduced to the constraint solving problem of the following Horn clause constraint set $H_{mult}$:

$$H_{mult} = \left\{ \begin{array}{l} P(x,0,0),\quad P(x,y,x+r) \Leftarrow P(x,y-1,r) \wedge (y \ne 0), \\ Q(x,0,a,a),\quad Q(x,y,a,r) \Leftarrow Q(x,y-1,a+x,r) \wedge (y \ne 0), \\ \bot \Leftarrow P(x,y,r_1) \wedge Q(x,y,a,r_2) \wedge (r_1 + a \ne r_2) \end{array} \right\}$$

Footnote 1: Our work also applies to programs that require a path-sensitive analysis of intricate control flows caused by non-termination, non-determinism, higher-order functions, and exceptions, but, for illustration purposes, we use this as a running example.

Here, the predicate variable P (resp. Q) represents an inductive invariant among the arguments and the return value of the function mult (resp. mult_acc). The first Horn clause $P(x,0,0)$ is generated from the then-branch of the definition of mult and expresses that mult returns 0 if 0 is given as the second argument. The second clause in $H_{mult}$, $P(x,y,x+r) \Leftarrow P(x,y-1,r) \wedge (y \ne 0)$, is generated from the else-branch and represents that mult returns $x + r$ if the second argument y is non-zero and r is returned by the recursive call mult x (y-1). The other Horn clauses are similarly generated from the then- and else-branches of mult_acc and the assertion in main. Because $H_{mult}$ has a satisfying substitution (i.e., solution)
$$\theta_{mult} = \{ P \mapsto \lambda(x,y,r).\ x \times y = r,\quad Q \mapsto \lambda(x,y,a,r).\ x \times y + a = r \}$$
for the predicate variables P and Q, the correctness of the constraint generation [55] guarantees that the evaluation of main x y a never causes an assertion failure.

The previous Horn constraint solving methods, however, cannot solve this kind of constraints, which require a relational analysis of multiple predicates. To see why, recall the constraint in $H_{mult}$, $\bot \Leftarrow P(x,y,r_1) \wedge Q(x,y,a,r_2) \wedge (r_1 + a \ne r_2)$, which asserts the equivalence of mult and mult_acc, where a relational analysis of the two predicates P and Q is required.
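The following is an added, executable reading of $H_{mult}$ written for this page; it is not the paper's solver and does not reproduce its proof search. It builds the least model of the definite clauses of $H_{mult}$ up to a bounded derivation depth (the inductive interpretation of P and Q), searches the derived facts for a violation of the goal clause, and checks whether a candidate substitution satisfies every clause on a finite grid of integers. The candidate $\theta_{mult}$ is the one given in the text; the second candidate, THETA_TRIVIAL, is our own construction, a non-relational substitution that satisfies all definite clauses but cannot discharge the goal clause. Both checks are finite approximations: they can refute a candidate or find a counterexample, but only an inductive proof covers all integers.

```python
"""Bounded checks on the Horn constraint set H_mult (added illustration)."""
from itertools import product

# Candidate solution theta_mult from the text.
THETA_MULT = {
    "P": lambda x, y, r: x * y == r,
    "Q": lambda x, y, a, r: x * y + a == r,
}

# Constructed candidate (our assumption, for contrast): true everywhere, so it
# satisfies every definite clause but relates nothing about P's and Q's results.
THETA_TRIVIAL = {
    "P": lambda x, y, r: True,
    "Q": lambda x, y, a, r: True,
}


def least_model(xs, depth):
    """Return (P, Q): facts derivable from the definite clauses of H_mult.

    Base facts are instantiated with first arguments x (and base accumulators a)
    drawn from xs; the recursive clauses are then applied `depth` times. Each
    application raises y by one, so the side condition y != 0 holds automatically,
    and no fact with y < 0 is ever derived (mult diverges there).
    """
    P = {(x, 0, 0) for x in xs}                   # P(x,0,0)
    Q = {(x, 0, a, a) for x in xs for a in xs}    # Q(x,0,a,a)
    for _ in range(depth):
        # P(x,y,x+r) <= P(x,y-1,r) & y != 0, read forwards with y := y'+1
        P |= {(x, y + 1, x + r) for (x, y, r) in P}
        # Q(x,y,a,r) <= Q(x,y-1,a+x,r) & y != 0, read forwards with a := a'-x
        Q |= {(x, y + 1, a - x, r) for (x, y, a, r) in Q}
    return P, Q


def goal_counterexample(P, Q):
    """Return (x, y, r1, a, r2) violating the goal clause among derived facts, or None."""
    q_by_xy = {}
    for (x, y, a, r2) in Q:
        q_by_xy.setdefault((x, y), []).append((a, r2))
    for (x, y, r1) in sorted(P):
        for (a, r2) in q_by_xy.get((x, y), ()):
            if r1 + a != r2:
                return (x, y, r1, a, r2)
    return None


def check_solution(theta, lo=-3, hi=3):
    """Return the first clause of H_mult that theta violates on [lo,hi]^n, or None."""
    P, Q = theta["P"], theta["Q"]
    R = range(lo, hi + 1)
    for x in R:
        if not P(x, 0, 0):
            return ("P(x,0,0)", (x,))
    for x, y, r in product(R, repeat=3):
        if y != 0 and P(x, y - 1, r) and not P(x, y, x + r):
            return ("P(x,y,x+r) <= P(x,y-1,r) & y!=0", (x, y, r))
    for x, a in product(R, repeat=2):
        if not Q(x, 0, a, a):
            return ("Q(x,0,a,a)", (x, a))
    for x, y, a, r in product(R, repeat=4):
        if y != 0 and Q(x, y - 1, a + x, r) and not Q(x, y, a, r):
            return ("Q(x,y,a,r) <= Q(x,y-1,a+x,r) & y!=0", (x, y, a, r))
    for x, y, r1, a, r2 in product(R, repeat=5):
        if P(x, y, r1) and Q(x, y, a, r2) and r1 + a != r2:
            return ("false <= P(x,y,r1) & Q(x,y,a,r2) & r1+a!=r2", (x, y, r1, a, r2))
    return None


if __name__ == "__main__":
    P, Q = least_model(range(-2, 3), depth=4)
    print("derived P facts agree with x*y:", all(r == x * y for (x, y, r) in P))
    print("goal-clause counterexample in bounded model:", goal_counterexample(P, Q))
    print("theta_mult violates:", check_solution(THETA_MULT))
    print("theta_trivial violates:", check_solution(THETA_TRIVIAL))
```

The bounded model contains exactly the facts $P(x, y, x \times y)$ and $Q(x, y, a', a' + x \times y)$ for $y \ge 0$, which is why no goal-clause counterexample is found; the trivial candidate is rejected on the goal clause alone, which is the clause that forces the relational reasoning discussed next.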
The previous methods, however, analyze each predicate P and Q separately, and therefore must infer nonlinear invariants $r_1 = x \times y$ and $r_2 = x \times y + a$ respectively for the predicate applications $P(x,y,r_1)$ and $Q(x,y,a,r_2)$ to conclude $r_1 + a = r_2$ by canceling $x \times y$, because x and y are the only shared arguments between $P(x,y,r_1)$ and $Q(x,y,a,r_2)$. The previous methods can only find solutions that are expressible in efficiently decidable theories such as quantifier-free linear real (QF_LRA) and integer (QF_LIA) arithmetic (footnote 2), which are not powerful enough to express the above nonlinear invariants and the solution $\theta_{mult}$ of $H_{mult}$.

By contrast, our induction-based Horn constraint solving method can directly and automatically show that the predicate applications $P(x,y,r_1)$ and $Q(x,y,a,r_2)$ imply $r_1 + a = r_2$ (i.e., $H_{mult}$ is solvable), by simultaneously analyzing the two. More precisely, our method interprets P, Q as the predicates inductively defined by the definite clauses (i.e., the clauses whose head is a predicate application), and uses induction on the derivation of $P(x,y,r_1)$ to prove the conjecture
$$\forall x, y, r_1, a, r_2.\ (P(x,y,r_1) \wedge Q(x,y,a,r_2) \wedge (r_1 + a \ne r_2) \Rightarrow \bot)$$
denoted by the goal clause (i.e., the clause whose head is not a predicate application).

The use of Horn clause constraints, which can be considered as an Intermediate Verification Language (IVL) common to Horn constraint solvers and target languages, enables our method to verify relational specifications across programs written in various paradigms. Horn constraints can naturally axiomatize various advanced language features including recursive functions that are partial (i.e., possibly non-terminating), non-deterministic, higher-order, exception-raising, and over non-inductively defined data types (recall that $H_{mult}$ axiomatizes the partial functions mult and mult_acc, and see the full version [58] for more examples).
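Worked induction for the running example (added here to make the proof strategy described above concrete; it follows the page's strategy, induction on the derivation of $P$ with case analysis on the derivation of $Q$, but is our own write-up and not a transcript of the paper's proof). Let $\mathcal{D}$ be a derivation of $P(x,y,r_1)$ from the definite clauses of $H_{mult}$. We prove, by induction on $\mathcal{D}$, the statement generalized over the accumulator and the second result:
$$\forall a, r_2.\ Q(x,y,a,r_2) \Rightarrow r_1 + a = r_2 .$$

Base case: the last clause used is $P(x,0,0)$, so $y = 0$ and $r_1 = 0$. Fix $a, r_2$ with $Q(x,0,a,r_2)$. The clause $Q(x,y,a,r) \Leftarrow Q(x,y-1,a+x,r) \wedge (y \ne 0)$ cannot have produced this fact, since $y = 0$; hence it is an instance of $Q(x,0,a,a)$ and $r_2 = a$. Therefore $r_1 + a = 0 + a = r_2$.

Inductive step: the last clause used is $P(x,y,x+r) \Leftarrow P(x,y-1,r) \wedge (y \ne 0)$, so $r_1 = x + r$ and $\mathcal{D}$ contains a strictly smaller derivation of $P(x,y-1,r)$. Fix $a, r_2$ with $Q(x,y,a,r_2)$. Since $y \ne 0$, this fact is not an instance of $Q(x,0,a,a)$, so it was derived from $Q(x,y-1,a+x,r_2)$. The induction hypothesis for $P(x,y-1,r)$, instantiated with accumulator $a + x$ and result $r_2$, gives $r + (a + x) = r_2$, hence $r_1 + a = x + r + a = r_2$.

Both cases close with linear arithmetic only, which is the point of the relational approach: the conjecture is proved without ever naming the nonlinear invariants $r_1 = x \times y$ and $r_2 = x \times y + a$ that a separate analysis of $P$ and $Q$ would have to infer. Note that the induction hypothesis had to be generalized over $a$ and $r_2$, because the recursive call to mult_acc changes the accumulator from $a$ to $a + x$.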
Furthermore, we can automate the axiomatization process by using program logics such as Hoare logics for imperative programs and refinement type systems [47, 54, 55, 60] for functional programs. In fact, researchers have developed

Footnote 2: See http://smt-lib.org/ for the definition of the theories.